package com.cs410.collabwriting.filters;

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.cs410.collabwriting.tools.LogManager;



/**
 * Servlet Filter implementation class VulnerabilityFilter
 */
@WebFilter("*")
public class VulnerabilityFilter implements Filter {

    /**
     * Default constructor. 
     */
    public VulnerabilityFilter() {
        // TODO Auto-generated constructor stub
    }

	/**
	 * @see Filter#destroy()
	 */
	public void destroy() {
		// TODO Auto-generated method stub
	}

	/**
	 * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
	 */
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
		// TODO Auto-generated method stub
		// place your code here
		HttpServletRequest httpRequest = (HttpServletRequest) request;
		HttpServletResponse httpResponse = (HttpServletResponse) response;
		
		boolean safe = isSafeFromXSSAttacks( httpRequest, httpResponse );

		if( !safe ) { return; }

		// pass the request along the filter chain
		chain.doFilter(request, response);
	}

	private boolean isSafeFromXSSAttacks(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException {
		Enumeration<String> param = httpRequest.getParameterNames();
		while( param.hasMoreElements() ) {
			String paramName = param.nextElement();
			for( String value : httpRequest.getParameterValues( paramName) ) {
				boolean vulnerable = isVulnerableToXSS( value );
				if( vulnerable ) { 
					LogManager.logWarning("[VulnerabilityFilter][XSS-Attack] -- " + httpRequest.getRemoteHost() + " ::" + httpRequest.getRequestURL() + "::");
					httpResponse.sendRedirect(" A VALID PATH HERE " ); // TODO:
					return false;
				}
				if( value.indexOf('\u0000') >= 0 ) {
					return false;
				}
			}
		}
		return true;
	}

	private boolean isVulnerableToXSS(String value) {
		int startBracket = value.indexOf("<");
		while( startBracket >= 0 ) {
			int endBracket = value.indexOf(">", startBracket + 1);
			if( endBracket > 0 ) {
				String subString = value.substring( startBracket + 1, endBracket );
				subString = subString.trim();
				if( subString.compareToIgnoreCase("script") == 0 || 
					subString.compareToIgnoreCase("script/") == 0 ||
					subString.compareToIgnoreCase("/script") == 0) {
					return true;
				}
			}
			startBracket = endBracket;
		}
		return false;
	}
	
	/**
	 * @see Filter#init(FilterConfig)
	 */
	public void init(FilterConfig fConfig) throws ServletException {
		// TODO Auto-generated method stub
	}


}
